Vulnerability Description
An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly referencing the project's ID in the PATCH request to the '/v1/projects/:projectId' endpoint. This issue arises because the endpoint does not verify if the provided project ID belongs to the currently authenticated user, enabling unauthorized modifications across different organizational projects.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lunary | Lunary | < 1.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/lunary-ai/lunary/commit/9eb9e526edff8bf82ae032f7a04867c8d5857Patch
- https://huntr.com/bounties/ccc291db-ae9c-403c-b6b5-6fe3f4800933ExploitIssue TrackingPatch
- https://github.com/lunary-ai/lunary/commit/9eb9e526edff8bf82ae032f7a04867c8d5857Patch
- https://huntr.com/bounties/ccc291db-ae9c-403c-b6b5-6fe3f4800933ExploitIssue TrackingPatch
FAQ
What is CVE-2024-1626?
CVE-2024-1626 is a vulnerability with a CVSS score of 8.1 (HIGH). An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to m...
How severe is CVE-2024-1626?
CVE-2024-1626 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-1626?
Check the references section above for vendor advisories and patch information. Affected products include: Lunary Lunary.